# Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: ## Reference to one or more secrets to be used when pulling images ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## imagePullSecrets: [] # - name: "image-pull-secret" # Optional priority class to be used for the cert-manager pods priorityClassName: "" rbac: create: true podSecurityPolicy: enabled: false useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. logLevel: 2 leaderElection: # Override the namespace used to store the ConfigMap for leader election namespace: "kube-system" # The duration that non-leader candidates will wait after observing a # leadership renewal until attempting to acquire leadership of a led but # unrenewed leader slot. This is effectively the maximum duration that a # leader can be stopped before it is replaced by another candidate. # leaseDuration: 60s # The interval between attempts by the acting master to renew a leadership # slot before it stops leading. This must be less than or equal to the # lease duration. # renewDeadline: 40s # The duration the clients should wait between attempting acquisition and # renewal of a leadership. # retryPeriod: 15s installCRDs: true replicaCount: 1 strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 # maxUnavailable: 1 # Comma separated list of feature gates that should be enabled on the # controller pod. featureGates: "" image: repository: quay.io/jetstack/cert-manager-controller # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer # resources. By default, the same namespace as cert-manager is deployed within is # used. This namespace will not be automatically created by the Helm chart. clusterResourceNamespace: "" serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Automount API credentials for a Service Account. automountServiceAccountToken: true # Optional additional arguments extraArgs: [] # Use this flag to set a namespace that cert-manager will use to store # supporting resources required for each ClusterIssuer (default is kube-system) # - --cluster-resource-namespace=kube-system # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # - --enable-certificate-owner-ref=true # Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver # - --controllers=*,-certificaterequests-approver extraEnv: [] # - name: SOME_VAR # value: 'some value' resources: {} # requests: # cpu: 10m # memory: 32Mi # Pod Security Context # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true # legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported # securityContext: # enabled: false # fsGroup: 1001 # runAsUser: 1001 # to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters # you want to set, e.g. # securityContext: # fsGroup: 1000 # runAsUser: 1000 # runAsNonRoot: true # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true volumes: [] volumeMounts: [] # Optional additional annotations to add to the controller Deployment # deploymentAnnotations: {} # Optional additional annotations to add to the controller Pods # podAnnotations: {} podLabels: {} # Optional additional labels to add to the controller Service # serviceLabels: {} # Optional additional annotations to add to the controller service # serviceAnnotations: {} # Optional DNS settings, useful if you have a public and private DNS zone for # the same domain on Route 53. What follows is an example of ensuring # cert-manager can access an ingress or DNS TXT records at all times. # NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for # the cluster to work. # podDnsPolicy: "None" # podDnsConfig: # nameservers: # - "1.1.1.1" # - "8.8.8.8" nodeSelector: {} ingressShim: {} # defaultIssuerName: "" # defaultIssuerKind: "" # defaultIssuerGroup: "" prometheus: enabled: true servicemonitor: enabled: false prometheusInstance: default targetPort: 9402 path: /metrics interval: 60s scrapeTimeout: 30s labels: {} # Use these variables to configure the HTTP_PROXY environment variables # http_proxy: "http://proxy:8080" # https_proxy: "https://proxy:8080" # no_proxy: 127.0.0.1,localhost # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core # for example: # affinity: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: foo.bar.com/role # operator: In # values: # - master affinity: {} # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core # for example: # tolerations: # - key: foo.bar.com/role # operator: Equal # value: master # effect: NoSchedule tolerations: [] webhook: replicaCount: 1 timeoutSeconds: 10 strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # Optional additional annotations to add to the webhook Deployment # deploymentAnnotations: {} # Optional additional annotations to add to the webhook Pods # podAnnotations: {} # Optional additional annotations to add to the webhook MutatingWebhookConfiguration # mutatingWebhookConfigurationAnnotations: {} # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration # validatingWebhookConfigurationAnnotations: {} # Optional additional annotations to add to the webhook service # serviceAnnotations: {} # Optional additional arguments for webhook extraArgs: [] resources: {} # requests: # cpu: 10m # memory: 32Mi ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 nodeSelector: {} affinity: {} tolerations: [] # Optional additional labels to add to the Webhook Pods podLabels: {} # Optional additional labels to add to the Webhook Service serviceLabels: {} image: repository: quay.io/jetstack/cert-manager-webhook # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-webhook # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Automount API credentials for a Service Account. automountServiceAccountToken: true # The port that the webhook should listen on for requests. # In GKE private clusters, by default kubernetes apiservers are allowed to # talk to the cluster nodes only on 443 and 10250. so configuring # securePort: 10250, will work out of the box without needing to add firewall # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 securePort: 10250 # Specifies if the webhook should be started in hostNetwork mode. # # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom # CNI (such as calico), because control-plane managed by AWS cannot communicate # with pods' IP CIDR and admission webhooks are not working # # Since the default port for the webhook conflicts with kubelet on the host # network, `webhook.securePort` should be changed to an available port if # running in hostNetwork mode. hostNetwork: false # Specifies how the service should be handled. Useful if you want to expose the # webhook to outside of the cluster. In some cases, the control plane cannot # reach internal services. serviceType: ClusterIP # loadBalancerIP: # Overrides the mutating webhook and validating webhook so they reach the webhook # service using the `url` field instead of a service. url: {} # host: cainjector: enabled: true replicaCount: 1 strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # Optional additional annotations to add to the cainjector Deployment # deploymentAnnotations: {} # Optional additional annotations to add to the cainjector Pods # podAnnotations: {} # Optional additional arguments for cainjector extraArgs: [] resources: {} # requests: # cpu: 10m # memory: 32Mi nodeSelector: {} affinity: {} tolerations: [] # Optional additional labels to add to the CA Injector Pods podLabels: {} image: repository: quay.io/jetstack/cert-manager-cainjector # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-cainjector # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Automount API credentials for a Service Account. automountServiceAccountToken: true # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. # The check is implemented using a Kubernetes Job- if you are injecting mesh # sidecar proxies into cert-manager pods, you probably want to ensure that they # are not injected into this Job's pod. Otherwise the installation may time out # due to the Job never being completed because the sidecar proxy does not exit. # See https://github.com/jetstack/cert-manager/pull/4414 for context. startupapicheck: enabled: true # Pod Security Context to be set on the startupapicheck component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true # Timeout for 'kubectl check api' command timeout: 1m # Job backoffLimit backoffLimit: 4 # Optional additional annotations to add to the startupapicheck Job jobAnnotations: helm.sh/hook: post-install helm.sh/hook-weight: "1" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Optional additional annotations to add to the startupapicheck Pods # podAnnotations: {} # Optional additional arguments for startupapicheck extraArgs: [] resources: {} # requests: # cpu: 10m # memory: 32Mi nodeSelector: {} affinity: {} tolerations: [] # Optional additional labels to add to the startupapicheck Pods podLabels: {} image: repository: quay.io/jetstack/cert-manager-ctl # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-ctl # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent rbac: # annotations for the startup API Check job RBAC and PSP resources annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the Job's ServiceAccount annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automount API credentials for a Service Account. automountServiceAccountToken: true